CVE-2019-10906

Impact:
Important
Public Date:
2019-04-06
CWE:
CWE-138
Bugzilla:
1698839: CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape

The MITRE CVE dictionary describes this issue as:

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Find out more about CVE-2019-10906 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat Virtualization Management Appliance includes python-jinja2 as a dependency of ovirt-engine-backend, which only uses it with controlled format strings that are not exploitable.
Red Hat Satellite 6 will receive fixes through the underlying Red Hat Enterprise Linux, so it won't issue updates to its own affected package.

This issue does not affect versions of python-jinja2 as shipped with:
* Red Hat Enterprise Linux 6 and 7, as python2 does not support str.format_map.
* Red Hat Update Infrastructure as it does not use the Sandbox feature, nor does it allow untrusted jinja2 templates.
* Red Hat Ceph Storage 2, 3 and Red Hat Gluster Storage 3 as python2 does not support str.format_map.
* Red Hat OpenStack Platform 13 or 14 as python2 does not support str.format_map.

CVSS v3 metrics

CVSS3 Base Score 9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-python35-python-jinja2) | RHSA-2019:1237 | 2019-05-16
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-python35-python-jinja2) | RHSA-2019:1237 | 2019-05-16
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-python36-python-jinja2) | RHSA-2019:1329 | 2019-06-04
Red Hat Enterprise Linux 8 (python-jinja2) | RHSA-2019:1152 | 2019-05-13
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-python36-python-jinja2) | RHSA-2019:1329 | 2019-06-04

Affected Packages State

Platform | Package | State
Red Hat Virtualization 4 | rhvm-appliance | Not affected
Red Hat Software Collections for Red Hat Enterprise Linux | python27-python-jinja2 | Not affected
Red Hat Satellite 6 | python-jinja2 | Will not fix
Red Hat OpenStack Platform 14.0 (Rocky) | python-jinja2 | Not affected
Red Hat OpenStack Platform 13.0 (Queens) | python-jinja2 | Not affected
Red Hat Gluster Storage 3 | python-jinja2 | Not affected
Red Hat Enterprise Linux 8 | python27:2.7/python-jinja2 | Not affected
Red Hat Enterprise Linux 7 | python-jinja2 | Not affected
Red Hat Enterprise Linux 6 | python-jinja2 | Not affected
Red Hat Ceph Storage 3 | python-jinja2 | Not affected
Red Hat Ceph Storage 2 | python-jinja2 | Not affected

Mitigation

If you cannot upgrade python-Jinja2, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.
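The override described above, as an added example that is not Red Hat's or the Jinja project's own code: it subclasses `SandboxedEnvironment`, assumes the hook signature `is_safe_attribute(obj, attr, value)`, and also refuses the sibling `str.format`, which takes the same kind of format string. Templates that reach for either method fail with `SecurityError` before the call runs; ordinary rendering is unaffected.

```python
from jinja2.sandbox import SandboxedEnvironment, SecurityError


class HardenedSandbox(SandboxedEnvironment):
    """SandboxedEnvironment that refuses to hand out str.format_map.

    Blocking the attribute lookup means any template call to it raises
    SecurityError instead of executing.  str.format is refused as well,
    since it accepts the same attribute-walking format strings.
    """

    # Assumed hook: SandboxedEnvironment consults this for every
    # attribute access on an object reached from a template.
    def is_safe_attribute(self, obj, attr, value):
        if isinstance(obj, str) and attr in ("format", "format_map"):
            return False
        return super().is_safe_attribute(obj, attr, value)


def render_untrusted(template_source, **context):
    """Render a template of untrusted origin inside the hardened sandbox."""
    env = HardenedSandbox()
    return env.from_string(template_source).render(**context)


def try_render(template_source, **context):
    """Return (True, output), or (False, reason) when the sandbox rejects it."""
    try:
        return True, render_untrusted(template_source, **context)
    except SecurityError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample templates: benign ones still render ...
    print(try_render("Hello {{ name }}!", name="world"))
    print(try_render("{{ name.upper() }}", name="world"))
    # ... while reaching for str.format_map is refused before the call.
    print(try_render('{{ "{a}".format_map({"a": 1}) }}'))
```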

CVE description copyright © 2017, The MITRE Corporation